Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jamf Protect - Alerts

Back
Id6098daa0-f05e-44d5-b5a0-913e63ba3179
RulenameJamf Protect - Alerts
DescriptionCreates an incident based on Jamf Protect Alert data in Microsoft Sentinel
SeverityHigh
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version1.0.6
Arm template6098daa0-f05e-44d5-b5a0-913e63ba3179.json
Deploy To Azure
jamfprotectalerts_CL
| extend
    algorithm = "SHA256",
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
tactics: 
name: Jamf Protect - Alerts
suppressionEnabled: false
requiredDataConnectors:
- connectorId: JamfProtect
  dataTypes:
  - jamfprotectalerts_CL
query: |
  jamfprotectalerts_CL
  | extend
      algorithm = "SHA256",
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")  
eventGroupingSettings:
  aggregationKind: AlertPerResult
relevantTechniques: 
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
    enabled: false
description: |
    'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
suppressionDuration: PT5H
severity: High
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: DvcHostname
  - identifier: OSFamily
    columnName: DvcOs
  - identifier: OSVersion
    columnName: DvcOsVersion
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: Host_IPs
  entityType: IP
- fieldMappings:
  - identifier: CommandLine
    columnName: TargetProcessCurrentDirectory
  - identifier: ProcessId
    columnName: TargetProcessId
  entityType: Process
- fieldMappings:
  - identifier: Algorithm
    columnName: algorithm
  - identifier: Value
    columnName: TargetBinarySHA256
  entityType: FileHash
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
version: 1.0.6
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
kind: NRT
alertDetailsOverride:
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: Techniques
    value: Techniques
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertTacticsColumnName: Tactics
status: Available
customDetails:
  Related_Binaries: TargetBinaryFilePath
  Protect_Tags: Tags
  JamfPro_Status: JamfPro
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  Protect_Analytic: EventMessage
  Related_File_hash: TargetBinarySHA256
  Protect_Event_Type: EventType
  TargetBinarySigner: TargetBinarySigningTeamID
  TargetbinarySign: TargetbinarySignerType
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
          "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "EventVendor"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventProduct"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            }
          ],
          "alertSeverityColumnName": "EventSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
        "customDetails": {
          "JamfPro_Status": "JamfPro",
          "Protect_Analytic": "EventMessage",
          "Protect_Event_Type": "EventType",
          "Protect_Tags": "Tags",
          "Related_Binaries": "TargetBinaryFilePath",
          "Related_File_hash": "TargetBinarySHA256",
          "TargetbinarySign": "TargetbinarySignerType",
          "TargetBinarySigner": "TargetBinarySigningTeamID",
          "TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
        },
        "description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
        "displayName": "Jamf Protect - Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcOs",
                "identifier": "OSFamily"
              },
              {
                "columnName": "DvcOsVersion",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Host_IPs",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "TargetProcessCurrentDirectory",
                "identifier": "CommandLine"
              },
              {
                "columnName": "TargetProcessId",
                "identifier": "ProcessId"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "TargetBinarySHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
        "query": "jamfprotectalerts_CL\n| extend\n    algorithm = \"SHA256\",\n    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n    Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n    Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n    JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.0.6"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}